Amendments to the Claims:

This listing of claims will replace all prior versions, and listings, of claims in the application: 
Listing of Claims: 

(Previously cancelled) 
(Cancelled) 
(Previously cancelled) 
(Cancelled) 
(Previously cancelled) 
(Cancelled) 
(Previously cancelled) 
(Cancelled) 
(Previously cancelled) 
(Cancelled) 

128. (New) A user authentication method for a communication network having a
plurality of nodes, the method comprising:

entering on a first node first user identification information;

transmitting to an authentication agent on a second node communicating with the first
node over a LAN link the first user identification information;

relaying from the authentication agent to an authentication server the first user
identification information;

comparing on the authentication server the first user identification information with user
identification information in a database of user identification information; and

transmitting from the authentication server to the authentication agent, if the first user
identification information matches user identification information in the database of user
identification information, information notifying the authentication agent that a user on the first
node has been authenticated whereupon the authentication agent authorizes transmission on the
second node of packets in data flows involving the first node,

wherein the first user identification information is transmitted to the authentication agent
as part of a MAC-based authentication flow between an authentication client on the first node
and the authentication agent.

129. (New) The method of claim 128, further comprising relaying from the
authentication agent to the authentication client as part of the MAC-based authentication flow 
the notification information. 



130. (New) The method of claim 128, further comprising, prior to transmitting the
first user identification information to the authentication agent, transmitting from the 
authentication client to the authentication agent as part of the MAC-based authentication flow a 
request to establish an authentication session. 



131. (New) The method of claim 128, further comprising transmitting from the
authentication client to the authentication agent as part of the MAC-based authentication flow a
logoff request, whereupon the authentication agent revokes the authorization.



132. (New) The method of claim 128, further comprising transmitting from the
authentication server to the authentication agent, if the first user identification information does
not match user identification information in the database, second information notifying the
authentication agent that the user on the first node has failed to become authenticated,
whereupon the authentication agent fails to authorize transmission on the second node of packets
in data flows involving the first node and relays to the authentication client as part of the
MAC-based authentication flow the second notification information.



133. (New) The method of claim 132, wherein if the authentication agent determines
that the user has made a predetermined number of failed authentication attempts, the
authentication agent transmits to the authentication client as part of the MAC-based
authentication flow information notifying the authentication client that further authentication
attempts will be inhibited.

134. (New) The method of claim 128, wherein the packets transmitted pursuant to the
authorization are neither encrypted nor decrypted by the second node. 

135. (New) A user authentication method for a communication network having a
plurality of nodes, the method comprising:

entering on a first node first user identification information;

transmitting to an authentication agent on a second node communicating with the first
node over a LAN link the first user identification information;

relaying from the authentication agent to an authentication server the first user
identification information;

comparing on the authentication server the first user identification information with user
identification information in a database of user identification information; and

transmitting from the authentication server to the authentication agent, if the first user
identification information matches user identification information in the database of user
identification information, information notifying the authentication agent that a user on the first
node has been authenticated whereupon the authentication agent authorizes transmission on the
second node of packets in data flows involving the first node,

wherein the authorization comprises authorizing an interface to the LAN link to allow
packets in data flows.

136. (New) The method of claim 135, wherein the interface is on the second node. 

137. (New) The method of claim 135, wherein the LAN link is an Ethernet link.

138. (New) The method of claim 135, wherein the authentication server is a RADIUS
server.

139. (New) The method of claim 135, wherein the authentication server is on a third
node.



140. (New) The method of claim 135, wherein prior to the authorization, the second 
node drops all packets received from the first node that are not part of an authentication flow. 



141. (New) The method of claim 135, wherein prior to the authorization, the second 
node drops all packets received from the first node that are not addressed to the authentication 
agent. 



142. (New) A user authentication method for a communication network having a 
plurality of nodes, the method comprising: 

entering on a first node first user identification information; 

transmitting to an authentication agent on a second node communicating with the first 
node over a LAN link the first user identification information;

relaying from the authentication agent to an authentication server the first user
identification information; 

comparing on the authentication server the first user identification information with user 
identification information in a database of user identification information; and 

transmitting from the authentication server to the authentication agent, if the first user 
identification information matches user identification information in the database of user 
identification information, information notifying the authentication agent that a user on the first
node has been authenticated whereupon the authentication agent authorizes transmission on the
second node of packets in data flows involving the first node and one or more nodes reachable
by the first node via the second node and relays to the first node the notification information.

143. (New) The method of claim 142, wherein prior to the authorization, the second
node inhibits transmission to any nodes reachable by the first node via the second node of all
packets received from the first node that are not part of an authentication flow.

144. (New) The method of claim 142, wherein prior to the authorization, the second
node inhibits transmission to any nodes reachable by the first node via the second node of all
packets received from the first node that are not addressed to the authentication agent.

145. (New) The method of claim 142, further comprising, prior to transmitting the
first user identification information to the authentication agent, transmitting from the first node to 
the authentication agent a request to establish an authentication session. 



146. (New) The method of claim 142, further comprising transmitting from the first
node to the authentication agent a logoff request, whereupon the authentication agent revokes the 
authorization. 




147. (New) The method of claim 142, further comprising transmitting from the 
authentication server to the authentication agent, if the first user identification information does
not match user identification information in the database, second information notifying the
authentication agent that the user on the first node has failed to become authenticated, 
whereupon the authentication agent fails to authorize transmission on the second node of packets 
in data flows involving the first node and any nodes reachable by the first node via the second 
node and relays to the first node the second notification information. 



148. (New) The method of claim 147, wherein upon receipt of the second notification 
information, the authentication agent determines the number of failed authentication attempts 
made by the user.

149. (New) The user authentication method of claim 148, wherein if the authentication
agent determines that the user has made a predetermined number of failed authentication
attempts, the authentication agent inhibits further authentication attempts.

150. (New) The user authentication method of claim 148, wherein if the authentication 
agent determines that the user has made a predetermined number of failed authentication 
attempts, the authentication agent transmits to the first node information notifying the first node 
that further authentication attempts will be inhibited. 



151. (New) A user authentication method for a communication network having a 
plurality of nodes, the method comprising:

entering on a first node first user identification information;

transmitting to an authentication agent on a second node communicating with the first
node over a LAN link the first user identification information;

relaying from the authentication agent to an authentication server the first user
identification information;

comparing on the authentication server the first user identification information with user
identification information in a database of user identification information; and

transmitting from the authentication server to the authentication agent, if the first user
identification information matches user identification information in the database of user
identification information, information notifying the authentication agent that a user on the first
node has been authenticated whereupon the authentication agent authorizes transmission on the
second node of packets in data flows involving the first node,

wherein the packets that are transmitted pursuant to the authorization bypass the 
authentication agent. 

152. (New) A user authentication method for a communication network having a 
plurality of nodes, the method comprising: 

entering on a first node first user identification information;

transmitting to an authentication agent on a second node communicating with the first
node over a LAN link the first user identification information;

relaying from the authentication agent to an authentication server the first user 
identification information; 

comparing on the authentication server the first user identification information with user 
identification information in a database of user identification information; and 

transmitting from the authentication server to the authentication agent, if the first user
identification information matches user identification information in the database of user
identification information, information notifying the authentication agent that a user on the first
node has been authenticated and information identifying a VLAN for which the user has been
authenticated whereupon the authentication agent authorizes transmission on the second node of
packets in data flows that involve the first node and are within the VLAN. 



153. (New) The method of claim 152, wherein the information notifying the
authentication agent that the user on the first node has been authenticated and the information
identifying the VLAN for which the user has been authenticated are transmitted from the
authentication server to the authentication agent in the same packet.

154. (New) The method of claim 152, wherein one or more of the packets that are 
transmitted pursuant to the authorization are appended on the second node and transmitted from
the second node to a backbone network with an identifier of the VLAN.

155. (New) The method of claim 152, further comprising dropping on the second node 
of packets in data flows involving the first node and other nodes that are not within the VLAN. 

156. (New) The method of claim 152, further comprising, before the authorization, 
dropping on the second node of packets in data flows involving the first node.

157. (New) The method of claim 152, further comprising, after the authorization,
forwarding on the second node of packets in data flows involving the first node and other nodes
that are within the VLAN.

158. (New) The method of claim 152, wherein the first user identification information
is transmitted from the first node to the authentication agent as part of a MAC-based
authentication flow between an authentication client on the first node and the authentication 
agent. 

159. (New) The method of claim 152, wherein the authorization comprises authorizing
an interface to the LAN link to allow packets in data flows.




160. (New) The method of claim 152, wherein the packets that are transmitted
pursuant to the authorization bypass the authentication agent. 
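
The agent behaviour recited in claims 128 to 160 (pre-authorization dropping, server-assigned VLAN, failed-attempt lockout, logoff revocation) can be read as a per-client state machine on the second node. The following Python model is an added example, not text from the application; the MAC addresses, the user database, the lockout limit of three and all function names are assumptions.

```python
# Added illustration: names, addresses and the lockout limit are assumptions.
import hmac
from dataclasses import dataclass, field
from typing import Optional

AGENT_MAC = "02:00:00:00:00:01"      # constructed address of the authentication agent
MAX_FAILURES = 3                     # the "predetermined number" (value assumed)
USER_DB = {"alice": ("s3cret", 20)}  # constructed: user -> (password, VLAN id)

def server_check(user, password):
    """Authentication server: compare with the database, return (accepted, vlan)."""
    stored, vlan = USER_DB.get(user, ("", None))
    ok = user in USER_DB and hmac.compare_digest(stored.encode(), password.encode())
    return ok, (vlan if ok else None)

@dataclass
class Port:
    """Per-client state kept by the agent on the second node."""
    vlan: Optional[int] = None       # None means the interface is unauthorized
    failures: int = 0
    locked: bool = False

@dataclass
class Agent:
    ports: dict = field(default_factory=dict)

    def login(self, src_mac, user, password):
        port = self.ports.setdefault(src_mac, Port())
        if port.locked:
            return "inhibited"
        ok, vlan = server_check(user, password)   # relay to the server
        if ok:
            port.vlan, port.failures = vlan, 0    # accept and VLAN arrive together
            return "accepted"
        port.failures += 1
        port.locked = port.failures >= MAX_FAILURES
        return "inhibited" if port.locked else "rejected"

    def logoff(self, src_mac):
        if src_mac in self.ports:
            self.ports[src_mac].vlan = None       # revoke, but keep the failure state

    def admit(self, src_mac, dst_mac, dst_vlan):
        """Data-path decision for one frame received from the first node."""
        if dst_mac == AGENT_MAC:
            return True                           # authentication flow always reaches the agent
        port = self.ports.get(src_mac)
        return port is not None and port.vlan is not None and dst_vlan == port.vlan
```

Logoff clears only the VLAN grant and leaves the failure counter and lock in place, so a client cannot reset its lockout by sending a logoff request.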



